Whilst investigating hardening OpenWRT running on a MIPS SOC I noticed that several of the uClibc .so files (specifically, ld-uClibc-0.9.33.2.so, libcUclibc-0.9.33.2.so, librt-0.9.33.2.so and libpthread-0.9.33.2.so) did not have the NX flag set (a GNU_STACK not executable in readelf). This was in spite of UCLIBC_BUILD_NOEXECSTACK=y.

I have been working through multiple hardening guides which seem to vary: some state to apply -Wl,-z,noexecstack at the linker, others imply that the code could be fixed at the assembler level with the linker fix being a 'last resort'. I do not have enough experience with uClibc to know which is the ideal solution, so my patch just applies the linker fix. My guess is that there are things done in code in those four DLLs that miss out on the ASFLAGS, and from my basic understanding this means that the default condition gets applied to the entire file by the linker. My references include the Gentoo hardening guide and the Ubuntu Security Team Executable Stacks wiki page.

This may be OK, but I propose this patch and leave it to anyone with more knowledge than myself to decide on its efficacy. Note this has only been tested on MIPS on a carambola2 SOC. Before/after testing can be done quickly using 'checksec.sh' from http://www.trapkit.de/tools/checksec.html

From some reading it is possible this may break on some environments (e.g. PPC???) without extra work to check.

Whilst creating the patch I discovered that the code in Rules.mak that exists to check if a flag is valid cannot cope with flags with a comma. Fixing that is currently beyond me also!
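The before/after check the message describes (GNU_STACK flags as shown by readelf or checksec.sh) comes down to reading one program header. The following is an added example, not part of the original message or the uClibc tree: it parses an ELF image, finds PT_GNU_STACK and reports whether PF_X is set. The function names and the constructed ELF32 big-endian MIPS test image are assumptions made for illustration.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # segment type whose p_flags carry the stack permissions
PF_X = 0x1                 # execute bit in p_flags

def gnu_stack_status(data):
    """Return 'nx', 'executable' or 'missing' for the bytes of an ELF file."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big endian
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            # p_flags is at offset 4 in Elf64_Phdr but offset 24 in Elf32_Phdr
            p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
            return "executable" if p_flags & PF_X else "nx"
    # No PT_GNU_STACK at all: the loader falls back to the architecture default
    return "missing"

def make_elf32_be(stack_flags=None):
    """Constructed sample: ELF32 big-endian MIPS header, optional PT_GNU_STACK."""
    phdrs = b"" if stack_flags is None else struct.pack(
        ">8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    hdr = struct.pack(">HHIIIIIHHHHHH", 3, 8, 1, 0, 52, 0, 0, 52, 32,
                      len(phdrs) // 32, 0, 0, 0)
    return ident + hdr + phdrs

if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:       # e.g. the four .so files named above
            with open(path, "rb") as f:
                print(path, gnu_stack_status(f.read()))
    else:
        for flags in (6, 7, None):      # RW, RWE, header absent (constructed)
            print(flags, gnu_stack_status(make_elf32_be(flags)))
```

Run against the libraries from a build before and after the linker change, a result of `missing` or `executable` flags the files the patch is meant to fix.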
